Configure the Splunk Add-on for Microsoft Windows¶
The Splunk Add-on for Microsoft Windows is configured through configuration files. You can configure the add-on manually or push a configuration with a deployment server. See Deploy the Splunk Add-on for Microsoft Windows with Forwarder Management.
The default configuration files for the Splunk Add-on for Microsoft Windows reside in %SPLUNK_HOME%\etc\apps\Splunk_TA_windows\default. Do not edit the files in this directory, because Splunk overwrites them whenever you upgrade the add-on. Create configuration files in the %SPLUNK_HOME%\etc\apps\Splunk_TA_windows\local directory and make your edits there.
Only modify input stanzas whose defaults you want to change. If you do not edit any files, the add-on does not collect any Windows data.
For more information about configuration files, see About configuration files in the Splunk Enterprise Admin Manual.
Configure props.conf¶
To reduce index volume, use the following best practice. Version 5.0.1 and higher of the Splunk Add-on for Microsoft Windows provides an option to remove extra text and normalize inappropriate values in both Classic and XML WinEventLog events by using SEDCMD.
The SEDCMD configurations are commented in default/props.conf. The explanation for each SEDCMD extraction is under the ##### Explanation line in each of the following stanzas:
[source::WinEventLog:System]
[source::WinEventLog:Security]
[source::WinEventLog:ForwardedEvents]
[WMI:WinEventLog:System]
[WMI:WinEventLog:Security]
Configure event cleanup best practices in props.conf¶
Remove extra text and normalize inappropriate values in both Classic and XML WinEventLog events using SEDCMD. To use the extractions, copy the lines beginning with SEDCMD- in these stanzas from default/props.conf into local/props.conf and uncomment each one you want to apply. SEDCMD rewrites the raw event before it is indexed, so the removed text cannot be recovered from Splunk afterwards; test each rule against sample events from your own hosts before deploying it, because the patterns are literal about whitespace and field labels.
- On your Splunk platform deployment, create or navigate to %SPLUNK_HOME%/etc/apps/Splunk_TA_windows/local/props.conf:
[source::WinEventLog:System]
SEDCMD-clean_info_text_from_winsystem_events_this_event = s/This [Ee]vent is generated[\S\s\r\n]+$//g
[source::WinEventLog:Security]
SEDCMD-windows_security_event_formater = s/(?m)(^\s+[^:]+\:)\s+-?$/\1/g
SEDCMD-windows_security_event_formater_null_sid_id = s/(?m)(:)(\s+NULL SID)$/\1/g s/(?m)(ID:)(\s+0x0)$/\1/g
SEDCMD-cleansrcip = s/(Source Network Address: (\:\:1|127\.0\.0\.1))/Source Network Address:/
SEDCMD-cleansrcport = s/(Source Port:\s*0)/Source Port:/
SEDCMD-remove_ffff = s/::ffff://g
SEDCMD-clean_info_text_from_winsecurity_events_certificate_information = s/Certificate information is only[\S\s\r\n]+$//g
SEDCMD-clean_info_text_from_winsecurity_events_token_elevation_type = s/Token Elevation Type indicates[\S\s\r\n]+$//g
SEDCMD-clean_info_text_from_winsecurity_events_this_event = s/This [Ee]vent is generated[\S\s\r\n]+$//g
#For XmlWinEventLog:Security
SEDCMD-cleanxmlsrcport = s/<Data Name='IpPort'>0<\/Data>/<Data Name='IpPort'><\/Data>/
SEDCMD-cleanxmlsrcip = s/<Data Name='IpAddress'>(\:\:1|127\.0\.0\.1)<\/Data>/<Data Name='IpAddress'><\/Data>/
[source::WinEventLog:ForwardedEvents]
SEDCMD-remove_ffff = s/::ffff://g
SEDCMD-cleansrcipxml = s/<Data Name='IpAddress'>(\:\:1|127\.0\.0\.1)<\/Data>/<Data Name='IpAddress'><\/Data>/
SEDCMD-cleansrcportxml=s/<Data Name='IpPort'>0<\/Data>/<Data Name='IpPort'><\/Data>/
SEDCMD-clean_rendering_info_block = s/<RenderingInfo Culture='.*'>(?s)(.*)<\/RenderingInfo>//
[WMI:WinEventLog:System]
SEDCMD-clean_info_text_from_winsystem_events_this_event = s/This event is generated[\S\s\r\n]+$//g
[WMI:WinEventLog:Security]
SEDCMD-windows_security_event_formater = s/(?m)(^\s+[^:]+\:)\s+-?$/\1/g
SEDCMD-windows_security_event_formater_null_sid_id = s/(?m)(:)(\s+NULL SID)$/\1/g s/(?m)(ID:)(\s+0x0)$/\1/g
SEDCMD-cleansrcip = s/(Source Network Address:\s*(\:\:1|127\.0\.0\.1))/Source Network Address:/
SEDCMD-cleansrcport = s/(Source Port:\s*0)/Source Port:/
SEDCMD-remove_ffff = s/::ffff://g
SEDCMD-clean_info_text_from_winsecurity_events_certificate_information = s/Certificate information is only[\S\s\r\n]+$//g
SEDCMD-clean_info_text_from_winsecurity_events_token_elevation_type = s/Token Elevation Type indicates[\S\s\r\n]+$//g
SEDCMD-clean_info_text_from_winsecurity_events_this_event = s/This [Ee]vent is generated[\S\s\r\n]+$//g
- Save your changes.
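To see what these rules actually do to an event before you put them in local/props.conf, the following added example (not code from the Splunk Add-on for Microsoft Windows or from Splunk) parses the page's SEDCMD values and applies the classic-format Security rules to a constructed 4624-style message. Assumptions: the event text is invented for illustration, rules are applied in the order they appear in the stanza, and Python's re stands in for Splunk's regex engine (it agrees for these rules, but Python 3.11+ rejects the mid-pattern (?s) used by the ForwardedEvents rendering-info rule, so that one is not emulated here).

```python
"""Emulate the page's SEDCMD rules against a constructed classic Security event.

Added example, not code from the add-on or from Splunk. Python's re stands in
for Splunk's regex engine; rules are assumed to apply in file order.
"""
import re

# Classic-format rules from the [source::WinEventLog:Security] stanza of
# Splunk_TA_windows default/props.conf, as listed on this page.
SECURITY_SEDCMDS = {
    "windows_security_event_formater": r"s/(?m)(^\s+[^:]+\:)\s+-?$/\1/g",
    "windows_security_event_formater_null_sid_id":
        r"s/(?m)(:)(\s+NULL SID)$/\1/g s/(?m)(ID:)(\s+0x0)$/\1/g",
    "cleansrcip":
        r"s/(Source Network Address: (\:\:1|127\.0\.0\.1))/Source Network Address:/",
    "cleansrcport": r"s/(Source Port:\s*0)/Source Port:/",
    "remove_ffff": r"s/::ffff://g",
    "clean_info_text_from_winsecurity_events_this_event":
        r"s/This [Ee]vent is generated[\S\s\r\n]+$//g",
}
# The [WMI:WinEventLog:Security] variant of cleansrcip allows any whitespace.
WMI_CLEANSRCIP = r"s/(Source Network Address:\s*(\:\:1|127\.0\.0\.1))/Source Network Address:/"

# Constructed 4624-style message body (not a real capture). Tabs mirror the
# classic rendering the regexes above were written for.
RAW_EVENT = (
    "An account was successfully logged on.\n"
    "\n"
    "Subject:\n"
    "\tSecurity ID:\t\tNULL SID\n"
    "\tAccount Name:\t\t-\n"
    "\tAccount Domain:\t\t-\n"
    "\tLogon ID:\t\t0x0\n"
    "\n"
    "Logon Type:\t\t\t3\n"
    "\n"
    "New Logon:\n"
    "\tSecurity ID:\t\tS-1-5-21-1111111111-2222222222-3333333333-1105\n"
    "\tAccount Name:\t\tj.doe\n"
    "\tAccount Domain:\t\tCORP\n"
    "\tLogon ID:\t\t0x3E7A1F\n"
    "\n"
    "Network Information:\n"
    "\tWorkstation Name:\tWS01\n"
    "\tSource Network Address:\t::ffff:10.0.0.5\n"
    "\tSource Port:\t\t0\n"
    "\n"
    "This event is generated when a logon session is created. It is generated\n"
    "on the computer that was accessed.\n"
)


def parse_sedcmd(script):
    """Split 's/regex/repl/flags [s/...]' into (regex, repl, flags) tuples.

    An escaped delimiter (backslash followed by '/') becomes a literal '/';
    every other backslash escape is passed through so re sees the pattern as-is.
    """
    rules, i, n = [], 0, len(script)
    while i < n:
        if script[i].isspace():
            i += 1
            continue
        if script[i] != "s" or i + 1 >= n:
            raise ValueError(f"unsupported sed command at offset {i}")
        delim, i = script[i + 1], i + 2
        parts = []
        for _ in range(2):  # regex, then replacement
            buf = []
            while i < n and script[i] != delim:
                if script[i] == "\\" and i + 1 < n:
                    buf.append(delim if script[i + 1] == delim else script[i:i + 2])
                    i += 2
                else:
                    buf.append(script[i])
                    i += 1
            if i >= n:
                raise ValueError("unterminated sed expression")
            i += 1  # consume the closing delimiter
            parts.append("".join(buf))
        flags = ""
        while i < n and not script[i].isspace():
            flags, i = flags + script[i], i + 1
        rules.append((parts[0], parts[1], flags))
    return rules


def apply_sedcmd(script, text):
    """Apply one SEDCMD value; 'g' replaces every match, otherwise only the first."""
    for regex, repl, flags in parse_sedcmd(script):
        text = re.sub(regex, repl, text, count=0 if "g" in flags else 1)
    return text


def clean_security_event(text, rules=SECURITY_SEDCMDS):
    """Run every rule in order and return what Splunk would index as _raw."""
    for script in rules.values():
        text = apply_sedcmd(script, text)
    return text


if __name__ == "__main__":
    cleaned = clean_security_event(RAW_EVENT)
    print(cleaned)
    print(f"{len(RAW_EVENT)} -> {len(cleaned)} bytes")
```

Running it shows the empty Subject fields collapsed to bare labels, the IPv4-mapped prefix and zero port dropped, and the trailing explanatory paragraph removed. It also shows a detail worth checking on your own data: the WinEventLog cleansrcip rule matches only a single space after "Source Network Address:", so a tab-separated loopback address survives it, while the WMI variant with \s* strips it.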
Configure indexes.conf¶
The indexes.conf file was removed in the Splunk Add-on for Microsoft Windows version 5.0.0. See Upgrade the Splunk Add-on for Microsoft Windows.
Configure inputs.conf¶
Before the Splunk Add-on for Microsoft Windows can collect data, you must configure inputs.conf and change the disabled attribute for the stanzas you want to enable to 0
Note
The [admon] input should be enabled on only one domain controller in a single domain. The [admon] input directly queries the Active Directory domain controllers. Enabling this input on multiple Splunk instances can disrupt your Active Directory servers and eventually make them unresponsive, preventing users from accessing needed services.
- If %SPLUNK_HOME%\etc\apps\Splunk_TA_windows\local\inputs.conf does not exist, create it.
- Using a text editor, open the inputs.conf in local for editing.
- Enable the inputs that you want the add-on to collect data for by setting the disabled attribute for those input stanzas to 0.
- Save the file and close it.
- Copy the contents of the Splunk_TA_windows directory to %SPLUNK_HOME%\etc\apps on other forwarders, or use a deployment server and Forwarder Management to distribute the add-on to other forwarders in your deployment.
Configure Windows Update Logs in inputs.conf¶
Note
The following may cause data duplication.
Windows 8, Windows 8.1, Windows Server 2012, Windows 2008R2, and Windows 2012R2 overwrite the WindowsUpdate.Log file after it reaches a certain size, and then truncate the log file from the beginning. The size of the truncation depends on the size of new events
Note
The following applies only to Windows 10 and Windows Server 2016.
Event Tracing for Windows (ETW) generates Windows Update logs in Windows 10 and Windows Server 2016. In versions 5.0 and 5.0.1 of the Splunk Add-on for Microsoft Windows, this process was manual. Version 6.0.0 of the Splunk Add-on for Microsoft Windows generates WindowsUpdate.Log files automatically and at regular intervals
Start collecting WindowsUpdate.Log data automatically:
- Copy the following stanzas from default/inputs.conf to local/inputs.conf:
## Enable below powershell and monitor stanzas to get WindowsUpdate.log for Windows 10 and Server 2016
## This stanza automatically generates WindowsUpdate.log every day
[powershell://generate_windows_update_logs]
script = ."$SplunkHome\etc\apps\Splunk_TA_windows\bin\powershell\generate_windows_update_logs.ps1"
schedule = 0 */24 * * *
disabled = 1
## This stanza monitors the generated WindowsUpdate.log in Windows 10 and Server 2016
[monitor://$SPLUNK_HOME\var\log\Splunk_TA_windows\WindowsUpdate.log]
disabled = 1
sourcetype = WindowsUpdateLog
- Enable both inputs by setting disabled = 0.
The WindowsUpdate.Log file is generated in, and monitored from, $SPLUNK_HOME\var\log\Splunk_TA_windows.
Configure File System change notifications in inputs.conf¶
To monitor a specific file or folder in the file system and index all change notifications in your Splunk instance, add a new stanza in inputs.conf:
[fschange:<path to monitor>]
signedaudit = <true|false>
Change notifications are indexed with sourcetype fs_notification.
Render Windows Event Log events in Classic¶
You can configure the Splunk Add-on for Microsoft Windows to render Windows Event Log events in Classic format. Version 6.0.0 of the Splunk Add-on for Microsoft Windows renders Windows Event Log events in eXtensible Markup Language (XML) format by default.
Enable Classic Event Log events:
- If %SPLUNK_HOME%/etc/apps/Splunk_TA_windows/local/inputs.conf does not already exist, create it.
- Using a text editor, open both %SPLUNK_HOME%/etc/apps/Splunk_TA_windows/default/inputs.conf and %SPLUNK_HOME%/etc/apps/Splunk_TA_windows/local/inputs.conf for editing.
- Copy the Event Log monitoring stanzas whose defaults you want to change from %SPLUNK_HOME%/etc/apps/Splunk_TA_windows/default/inputs.conf to %SPLUNK_HOME%/etc/apps/Splunk_TA_windows/local/inputs.conf.
- Add the line renderXml = 0 to each Event Log monitoring stanza for which you want to generate Classic Event Log events. For example, if you want the Security Event Log channel to render events in Classic, the Security Event Log stanza should look like this:
[WinEventLog://Security]
index=security
current_only=1
evt_resolve_ad_obj=0
renderXml=0
disabled=0
- Save the local inputs.conf file and close it.
- Deploy the add-on manually by copying the entire Splunk_TA_windows folder to %SPLUNK_HOME%/etc/apps on other Splunk Enterprise instances, or use Forwarder Management to distribute the add-on to all forwarders in your deployment.
Collect data for forwarded Windows Event Logs using Windows Event Forwarding¶
The Splunk Add-on for Microsoft Windows supports collecting forwarded Windows Event Logs in the default Forwarded Events channel of the Windows Event Viewer.
To collect data for the Forwarded Events channel, perform the following steps:
- Enable Windows Remote Management on a Windows Server 2008 or later collector Windows machine.
- Create a subscription in the collector Windows machine and set the destination log as Forwarded Events.
- Copy the following input stanzas from default/inputs.conf to local/inputs.conf and enable them:
[WinEventLog://ForwardedEvents]
disabled = 1
start_from = oldest
current_only = 0
checkpointInterval = 5
renderXml=true
Note
To identify the source of forwarded events, use the host field.
Note
The Splunk Add-on for Microsoft Windows 5.0.x supports only XML format for the collection of WinEventLogs using WEF. If you collect forwarded Windows event logs in plain text format, you might experience issues with indexed events and their extractions.
For performance information and considerations, refer to the Performance reference for the Splunk Add-on for Microsoft Windows.
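Before deploying the edits described in the inputs.conf, Classic rendering, and Windows Event Forwarding procedures above, it helps to look at the merged result rather than at one file. The following added example (not code from the add-on or from Splunk) merges two constructed conf layers the way Splunk's layering does, with local overriding default key by key, and flags the two pitfalls this page calls out: [admon] enabled where it should not be, and the ForwardedEvents channel collected in Classic rather than XML format. The stanza contents, including the admon://default name, are assumptions for illustration, not copies of the real files; Splunk booleans are reduced to 1/true/t/yes/y and only default-versus-local precedence is modelled.

```python
"""Resolve the effective Splunk_TA_windows inputs.conf from layered files and lint it.

Added example, not code from the add-on or from Splunk. Both conf layers are
constructed stand-ins for default/inputs.conf and local/inputs.conf.
"""
import configparser

DEFAULT_INPUTS = """\
# Constructed stand-in for default/inputs.conf: everything ships disabled.
[WinEventLog://Security]
disabled = 1
start_from = oldest
current_only = 0
checkpointInterval = 5
renderXml = true

[WinEventLog://System]
disabled = 1
renderXml = true

[WinEventLog://ForwardedEvents]
disabled = 1
renderXml = true

[admon://default]
disabled = 1
"""

LOCAL_INPUTS = """\
# Constructed local/inputs.conf: Security switched to Classic, WEF channel
# wrongly switched to Classic as well, admon switched on.
[WinEventLog://Security]
index = security
current_only = 1
evt_resolve_ad_obj = 0
renderXml = 0
disabled = 0

[WinEventLog://ForwardedEvents]
disabled = 0
renderXml = 0

[admon://default]
disabled = 0
"""


def parse_conf(text):
    """Parse one Splunk .conf layer into {stanza: {key: value}}."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",),
                                   comment_prefixes=("#",), strict=False,
                                   allow_no_value=True)
    cp.optionxform = str  # Splunk keys are case-sensitive (renderXml, not renderxml)
    cp.read_string(text)
    return {s: dict(cp.items(s)) for s in cp.sections()}


def merge_layers(*layers):
    """Merge in precedence order (default first, local last), key by key."""
    merged = {}
    for layer in layers:
        for stanza, kv in layer.items():
            merged.setdefault(stanza, {}).update(kv)
    return merged


def is_true(value):
    return str(value).strip().lower() in {"1", "true", "t", "yes", "y"}


def effective_inputs(merged):
    """Enabled state per stanza, plus classic/xml rendering for event log inputs."""
    out = {}
    for stanza, kv in merged.items():
        enabled = not is_true(kv.get("disabled", "false"))  # absent => enabled
        mode = None
        if stanza.startswith("WinEventLog://"):
            mode = "xml" if is_true(kv.get("renderXml", "false")) else "classic"
        out[stanza] = {"enabled": enabled, "mode": mode}
    return out


def lint(merged):
    """Flag the two misconfigurations this page warns about."""
    eff = effective_inputs(merged)
    warnings = []
    admon_on = sorted(s for s, v in eff.items() if s.startswith("admon://") and v["enabled"])
    if admon_on:
        warnings.append(f"admon enabled ({', '.join(admon_on)}): enable it on only one "
                        "domain controller per domain, never on every forwarder")
    fwd = eff.get("WinEventLog://ForwardedEvents")
    if fwd and fwd["enabled"] and fwd["mode"] != "xml":
        warnings.append("WinEventLog://ForwardedEvents is enabled with renderXml off: "
                        "WEF collection is only supported in XML format")
    return warnings


def resolve(default_text=DEFAULT_INPUTS, local_text=LOCAL_INPUTS):
    """Return (merged config, effective inputs, lint warnings)."""
    merged = merge_layers(parse_conf(default_text), parse_conf(local_text))
    return merged, effective_inputs(merged), lint(merged)


if __name__ == "__main__":
    _, eff, warnings = resolve()
    for stanza, info in eff.items():
        print("enabled " if info["enabled"] else "disabled", stanza, info["mode"] or "")
    for w in warnings:
        print("WARNING:", w)
```

On a real forwarder, splunk btool inputs list --debug prints the same merged view with the file each key came from; the point of the script is that a stanza copied into local inherits every key you did not override (start_from = oldest here), and that a single renderXml = 0 on the wrong stanza silently breaks the WEF collection described above.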
Windows OS-related configuration issues¶
When the Windows collector machine collects forwarded Security, System, and Application events, the forwarded events contain an additional <RenderingInfo> element. To remove it, copy the line #SEDCMD-clean_rendering_info_block = s/<RenderingInfo Culture='.*'>(?s)(.*)<\/RenderingInfo>// in the [source::WinEventLog:ForwardedEvents] stanza from default/props.conf to local/props.conf, and uncomment it.
Collect perfmon data and wmi:uptime data in metric index¶
The Splunk Add-on for Microsoft Windows supports metric indexes for the following source types:
- Perfmon:CPU
- Perfmon:DFS_Replicated_Folders
- Perfmon:DNS
- Perfmon:ProcessorInformation
- Perfmon:LogicalDisk
- Perfmon:Memory
- Perfmon:Network
- Perfmon:Network_Interface
- Perfmon:NTDS
- Perfmon:PhysicalDisk
- Perfmon:Process
- Perfmon:Processor
- Perfmon:System
- WMI:Uptime
Prerequisites¶
- Splunk Enterprise 7.0 or later
- Create a metric index for the supported sourcetype for which you would like to collect data
Collect perfmon data in a Splunk metric index¶
- In inputs.conf, replace the mode = multikv line in the stanza for the supported Perfmon sourcetype with mode = single.
- In the same stanza, add a new line index = metric_index_name with the name of the metric index:
[perfmon://CPU]
counters = % Processor Time; % User Time; % Privileged Time; Interrupts/sec; % DPC Time; % Interrupt Time; DPCs Queued/sec; DPC Rate; % Idle Time; % C1 Time; % C2 Time; % C3 Time; C1 Transitions/sec; C2 Transitions/sec; C3 Transitions/sec
disabled = 0
instances = *
interval = 10
mode = single
object = Processor
useEnglishOnly=true
index = metric_poc
- Restart Splunk Enterprise to enable the new configuration.
Collect WMI:Uptime data in a Splunk metric index¶
- In wmi.conf, add a new line index = metric_index_name with the name of the metric index to the WMI:Uptime stanza.
- Restart Splunk Enterprise to enable the new configuration.
Collect BIOS data from the Windows Host Machine¶
The Splunk Add-on for Microsoft Windows supports collecting BIOS data from the Windows host machine. Follow these steps to collect BIOS data in a Splunk index:
- Copy the following stanzas from default/inputs.conf to local/inputs.conf
[powershell://windows_bios_data]
script = ."$SplunkHome\etc\apps\Splunk_TA_windows\bin\powershell\windows_bios_data.ps1"
schedule = 0 */24 * * *
source = Powershell
sourcetype = win:bios
disabled = 1
- Enable the input by setting disabled = 0.